Fixes #3236, disable SCT checking for a cosign verification when usin…

[jkjell]

…g a public key

• Closes Signed Certificate Timestamp with Long-lived Keys #3236

Summary

This changes remove the Signed Certificate Timestamp checking when providing a public key to cosign verify. One of the issues SCT verification causes is the retrieval of its public keys from the TUF CDN by default. This breaks verification in disconnected or restricted environment. SCT is not necessary to validate a key pair.

Release Note

[haydentherapper]

Thanks! Could you also make this change in the other verify* files, like

cosign/cmd/cosign/cli/verify/verify_attestation.go

Line 113 in 86252aa

if !c.IgnoreSCT {

,

cosign/cmd/cosign/cli/verify/verify_blob_attestation.go

Line 192 in 86252aa

if !c.IgnoreSCT {

,

cosign/cmd/cosign/cli/verify/verify_blob.go

Line 288 in 86252aa

if !c.IgnoreSCT {

[codecov]

Codecov Report

Merging #3237 (7eef302) into main (86252aa) will increase coverage by 0.01%.
The diff coverage is 40.00%.

@@            Coverage Diff             @@
##             main    #3237      +/-   ##
==========================================
+ Coverage   30.35%   30.37%   +0.01%     
==========================================
  Files         155      155              
  Lines        9834     9835       +1     
==========================================
+ Hits         2985     2987       +2     
+ Misses       6403     6402       -1     
  Partials      446      446              

Files Changed	Coverage Δ
cmd/cosign/cli/verify/verify.go	21.38% <0.00%> (-0.07%)	⬇️
cmd/cosign/cli/verify/verify_attestation.go	3.33% <0.00%> (ø)
cmd/cosign/cli/verify/verify_blob.go	49.78% <100.00%> (+0.86%)	⬆️
cmd/cosign/cli/verify/verify_blob_attestation.go	33.17% <100.00%> (ø)